Serial Network Security with Device Routers

As security continues to be in the forefront of the challenges facing designers of industrial networks, legacy systems, using serial intelligent electronic devices (IEDs) and other serial network components that have been operating faithfully for years, have become a significant concern. Typically separate from newer Ethernet deployments, they fall outside any automated security strategy, yet t...


As security continues to be in the forefront of the challenges facing designers of industrial networks, legacy systems, using serial intelligent electronic devices (IEDs) and other serial network components that have been operating faithfully for years, have become a significant concern. Typically separate from newer Ethernet deployments, they fall outside any automated security strategy, yet their splendid isolation can make them a target for attack.

This diagram shows typical network architecture, including serial devices interfaced with the Ethernet core.

This decades-long accumulation of industrial devices that utilize asynchronous, serial protocols for operational applications, such as supervisory control and data acquisition (SCADA) and for industrial device console interfaces, can have its serial communications requirements met via separate networks distinct from Internet protocol (IP)/Ethernet infrastructure. But there is no way to implement managed remote cyber security for traditional serial applications. For an effective communications-system-wide security program, as well as overall network efficiency, it would be better to integrate serial devices on the edge of industrial networks with the central IP/Ethernet network for ease of management and to extend IP-based cyber security features to the serial edge of the network.

Holistic architectures are coming on the market that allow the serial edge to be an integral part of an automated, secure network system. An emerging class of products called serial device routers supports architecture that allows managers to design and control integrated industrial networks that provide monitoring, management, and security for the entire network, including legacy systems.

Integrating industrial networks

A holistic view of the emerging industrial network uses Ethernet switches as a universal connectivity medium at the core of the network, and then surrounds this core with edge and access layers for Ethernet devices, serial devices and wide area network connections. See graphic.

At the Ethernet edge of this architecture, IP-ready industrial devices connect directly to the core network, or via Ethernet edge switches that are deployed near distributed industrial devices. The wide area network (WAN) access element of the architecture enables remote systems or personnel to access industrial devices in the local network. In addition to physical layer interfaces to WAN facilities, WAN access requires IP routing for interconnection of different Ethernet networks and perimeter-security capabilities, such as an IP firewall.

The serial edge has historically been implemented as a separate network. While the Ethernet and serial domains may share a common WAN access element, it has been difficult to share a local Ethernet infrastructure.

Relatively static, dedicated networks have been developed for connecting serial devices and interfaces to central data collectors and/or to basic remote access facilities. Devices may be connected to dedicated modem connections for remote access, or some limited shared WAN access may be provided by a local data concentrator for both an operational data interface, such as SCADA, and a separate interface for serial console access. A major drawback is that static serial edge networks rely on dedicated connections for each application. Thus, adding new industrial devices (ID) or new systems means adding new dedicated connections. Console access to devices is also highly restricted, inhibiting efficient access by remote technical personnel. Connections are hard-wired with no resiliency against faults and no remote management of network elements.

Serial device routers are a class of devices that offer intelligent serial-IP networking, leverage the Ethernet infrastructure to take advantage of the ubiquity, performance, security and resiliency offered by the emerging Ethernet core architecture. A new dynamic serial edge is created by their deployment adjacent to distributed industrial serial devices to provide serial-IP/Ethernet connectivity into the common local core network. Because they are specially designed for industrial applications, these devices can be widely distributed within even the harshest environments. In addition, multiple serial connections may be attached to the same industrial device. For example, both an operational data interface, such as SCADA, and serial console access can share a serial device router.


A serial device router can provide fieldbus connectivity using Modbus/TCP on the existing Ethernet core.

A fieldbus example

Security often has not been a concern of fieldbuses because they are typically closed systems. However, when IP-based devices enter the picture, security with fieldbus systems becomes a concern. Serial device routers have the data manipulation capability and the intelligence to address cyber security concerns.

There are numerous serial devices in industrial control system environments. Many systems have standardized on serial-mode DNP (distributed network protocol) and Modbus protocols. Modbus fieldbus technology allows for serial communications among many devices connected to the same network. For example, Modbus is often used to connect a supervisory computer with a remote terminal unit (RTU) in serial SCADA systems.

Because Modbus is an important and widely deployed serial technology, the ability of a serial device router to integrate Modbus/RTU and Modbus/ASCII serial devices with newer TCP/IP network devices is particularly important. Utilizing Modbus/TCP, an extension of Modbus/RTU, it is possible to encode Modbus messages within and transport over TCP/IP-based networks to support client (master) and server (slave) modes of operation. This approach can integrate Modbus devices into an Ethernet-core integrated industrial network to extend Ethernet-based management and cyber security functionality to Modbus devices in an industrial facility.

Other serial approaches

Like a serial device router, traditional terminal servers, serial device servers, or console servers provide the basic function of serial-to-TCP/IP protocol encapsulation and connectivity to an Ethernet network. Serial device routers, however, integrate the multiple functions of a terminal server, an Ethernet switch and an IP router and firewall, which can enhance management, resiliency and security capabilities for serial devices. Traditional terminal servers and other serial server devices have no intelligence, and therefore no security capability. This may not be a problem if the connected serial devices are in a secure area and access is restricted to trusted employees. For example, use of security techniques such as per-port virtual local area networks (VLANs), are not possible with terminal servers. Today’s emphasis on security preparedness rather than trust, however, suggests that communications management should include a unified security system that is vigilant toward not only external attack, but also unauthorized use by personnel or systems within the installation. An SDR has the flexibility to play many roles in industrial networks, including acting as a perimeter security appliance (such as firewalls and VLANs) for remote locations, as a watchdog for activity on a serial port, or as a layer-3 (IP protocol) gateway among Ethernet network domains.

The serial device router is also designed for industrial environments with hardening to withstand extreme temperatures, electrical surges, EMI, and corrosive, high particulate, or high humidity environments. These hardened devices enable reliable deployment in applications where terminal servers, typically available only in commercial grade, will not operate.

New industrial routers incorporate SDR capabilities to provide WAN connectivity to integrated networks supporting both dynamic Ethernet and dynamic serial edges.

Cyber security features

Cyber security becomes more urgent when remote access is enabled, and remote access is critical for efficient support of many industrial functions. In some industries, such as electric power transmission, implementing remote access brings regulatory obligations for cyber security protection of critical infrastructure. In addition to perimeter security via a WAN-access firewall function, full cyber protection requires rigorous port security for industrial devices including authentication and encryption of serial connections by remote systems and personnel on an end-to-end basis, extending locally to the serial port itself. Serial device routers have IP capability, allowing them to support secure socket layer (SSL) sessions from remote systems and PC-based remote personnel with authentication that is specific to individual serial ports, in addition to high-performance, hardware-assisted encryption of traffic all the way to the edge of the local network. Serial device routers also have the capability for associating serial ports into closed communities of interest using capabilities such as Ethernet 802.1Q VLAN technology, which allows per-port assignment of serial ports within the network to different VLANs.

Business objectives

A serial device router enables the creation of a dynamic serial edge that meets many critical business objectives of industrial network designers and planners. In addition to extending cyber security to the edge of the industrial network for serial devices, and facilitating compliance with cyber security standards, serial device routers can improve network reliability and thus associated operational system and process reliability. The result is improved SCADA system reliability, achieved by increased security and resiliency of local network connections.

Serial device routers protect existing investment in industrial equipment by network-enabling serial devices for access by remote systems and personnel. Deployment of additional industrial devices and systems is made more cost-effective by leveraging the Ethernet core network in industrial environments, including cyber security, and by building for long-term project life cycles with open standards technology.

New and evolving application requirements, such as comprehensive cyber security mandates and heightened concerns for overall system reliability, require new views of industrial network architecture. Serial devices within the network add security challenges because they do not easily fit within IP-enabled security systems. Moreover, each application requires its own individual uplink, adding complexity to new deployments. With an integrated approach to the design and planning of multi-protocol industrial networks now available, network planners and designers can use the emerging product class of serial device routers to facilitate an integrated, secure and reliable industrial network.

Author Information

Howard Linton, is director of application engineering, GarrettCom Inc. Reach him at .

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Choosing controllers: PLCs, PACs, IPCs, DCS? What's best for your application?; Wireless trends; Design, integration; Manufacturing Day; Product Exclusive
Variable speed drives: Smooth, efficient, electrically quite motion control; Process control upgrades; Mobile intelligence; Product finalists: Vote now; Product Exclusives
Machine design tips: Pneumatic or electric; Software upgrades; Ethernet advantages; Additive manufacturing; Engineering Leaders; Product exclusives: PLC, HMI, IO
This article collection contains the 5 most referenced articles on improving the use of PID.
Learn how Industry 4.0 adds supply chain efficiency, optimizes pricing, improves quality, and more.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Cyber security cost-efficient for industrial control systems; Extracting full value from operational data; Managing cyber security risks
Drilling for Big Data: Managing the flow of information; Big data drilldown series: Challenge and opportunity; OT to IT: Creating a circle of improvement; Industry loses best workers, again
Pipeline vulnerabilities? Securing hydrocarbon transit; Predictive analytics hit the mainstream; Dirty pipelines decrease flow, production—pig your line; Ensuring pipeline physical and cyber security